FATF and the future of decentralised finance

Lewis Cohen, co-founder of DLx Law, discusses the Financial Action Task Force’s draft revised guidance on the recommended risk-based approach applicable to entities engaging in activities involving virtual assets

The Financial Action Task Force (FATF) is the international body that coordinates the development of international standards on combating money laundering and the financing of terrorism and weapons proliferation. FATF implements these standards through a series of recommendations to national governments, who are ultimately responsible for their implementation.

On March 19 2021, FATF published a draft of its upcoming revised guidance (the draft guidance) on the recommended risk-based approach applicable to entities engaging in activities involving virtual assets (VAs), including traditional financial institutions, as well as entities considered virtual asset service providers (VASPs). The proposed revised recommendations in the draft guidance (the VA Recommendations) clarify FATF’s most current recommendations contained in the final guidance on VAs and VASPs, which was published in June 2019 (the 2019 guidance). The draft guidance is currently open to public consultation and is expected to be published in final form in June 2021.

The 2019 guidance explicitly placed anti-money laundering and countering the financing of terrorism (AML/CFT) obligations on entities considered VASPs. However, the definition of VASP in the 2019 guidance was relatively narrow, focusing on those entities, such as centralised digital asset exchanges, with a custodial relationship with VAs on behalf of customers (i.e., knowledge of the private keys needed to move the VAs from one blockchain address to another).

It was also generally clear that providers of non-custodial software wallets (i.e., software that allows a user to control their own private keys and interact with others without reliance on a third party), providers of multi-sig services (i.e., where a third party controls only one of the n keys in an m-of-n scheme, so that it cannot move funds on its own but provides added security to the user), software-based “decentralised exchanges” (i.e., platforms that allow for the atomic, effectively instantaneous exchange of one VA for another without the use of a third party), and other non-custodial services were not considered VASPs.

The draft guidance significantly expands on the 2019 guidance in a number of ways, including:

  • Providing guidance on how the VA Recommendations apply to what FATF refers to as “so-called stablecoins” (an intended swipe at the marketing of certain VAs);
  • Providing additional guidance on the risks and potential risk mitigants for peer-to-peer transactions;
  • Providing updated guidance on the licensing and registration of VASPs;
  • Providing additional guidance for the public and private sectors on the implementation of the travel rule;
  • Including principles of information-sharing and cooperation amongst VASP supervisors.

However, the most important aspect of the draft guidance is likely that it broadens the definition of VA and clarifies that the definition of VASP extends well beyond that suggested in the 2019 guidance. In particular, the draft guidance clarifies that both of these definitions are intended to be read expansively by national AML/KYC regulators and that there should not be a case under national financial regulations where a financial asset is not covered by the FATF Standards, either as a VA or as a traditional financial asset.

Decentralised finance

Squarely in the sights of the draft guidance is the rapidly growing area of decentralised finance (DeFi). The term DeFi is used to refer to financial tools built on open (permissionless) blockchain-based networks, most notably Ethereum. These tools utilise VAs such as ether, bitcoin (on Ethereum, typically in a “wrapped” ERC-20 form), and other digital assets compatible with the ERC-20 standard, and do not involve the “custodying” of these assets by any individual or business. Instead, the relevant VAs are sent to the address of a smart contract (computer code stored on the relevant blockchain network), where the VAs remain locked until a user or the relevant code sends the assets elsewhere.

Accordingly, scale in DeFi is usually measured by total value locked (TVL) – the total value (usually expressed in terms of US dollars) of all the VAs locked in smart contracts at any given time.  As of a recent date, almost $50 billion in VAs were locked in DeFi smart contracts.

Unsurprisingly, DeFi platforms are generally promoted as being decentralised, although what is meant by this term in this context is open to debate. What can be said is that almost all DeFi products and services are automated, meaning that once a transaction is initiated by a user, smart contracts will carry out the transaction transparently and deterministically without the use of intermediary entities. Anyone with access to the internet can confirm the outcome of the transaction (although parties are identified only pseudonymously through the blockchain addresses used to execute the transaction).

Proponents of DeFi seek to create decentralised alternatives to nearly every traditional financial service, including lending, retail payments, deposit and savings accounts, swaps, options, and derivatives transactions, insurance, and asset trading, exchange, and management.

How does all this magic occur? DeFi is able to function without intermediaries because of a number of unique features. First, all DeFi transactions are either prefunded by the user or overcollateralised by the borrower. Second, due to the automation built into the various protocols, remedial actions (such as margin calls or default enforcement) can occur without the use of any time-consuming and costly legal process (and, of course, without regard to any traditional rights parties may otherwise have under any bankruptcy, reorganisation, or similar laws).

Third, many different digital assets have developed extremely high levels of liquidity (at least most of the time), meaning that pledged assets can be disposed of automatically and almost instantaneously without needing to rely on human intervention to find a buyer.
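The three features just described (prefunded or overcollateralised positions, automated remedies, and liquid collateral that can be sold off without a human counterparty) can be made concrete with a small model. The Python below is an added illustration for this article; it is not the code of any real DeFi protocol. The parameters (a 150% minimum collateral ratio, a 125% liquidation trigger and a 10% liquidator penalty) are hypothetical, the `Vault`, `borrow` and `liquidate` names are invented for the example, and `price` stands in for whatever price feed a real protocol would consult.

```python
"""Toy model of an over-collateralised DeFi loan with automatic liquidation.

Added illustration for this article; not any real protocol's code. The ratios
below are hypothetical, and `price` stands in for a protocol's price feed.
"""
from dataclasses import dataclass
from typing import List, Optional

MIN_COLLATERAL_RATIO = 1.50   # hypothetical: must hold to open or extend a loan
LIQUIDATION_RATIO = 1.25      # hypothetical: below this anyone may liquidate
LIQUIDATION_PENALTY = 0.10    # hypothetical: bonus collateral paid to the liquidator


@dataclass
class Vault:
    collateral: float   # units of the pledged asset (e.g. ETH)
    debt: float         # units borrowed (e.g. a USD stablecoin)


def collateral_ratio(vault: Vault, price: float) -> float:
    """Value of pledged collateral divided by debt, at the given price."""
    if vault.debt == 0:
        return float("inf")
    return vault.collateral * price / vault.debt


def borrow(vault: Vault, amount: float, price: float) -> Vault:
    """Extend the loan only if the position stays over-collateralised.

    This is the 'prefunded / over-collateralised' rule: the protocol never has
    to trust the borrower, because the collateral already sits in the contract
    before any debt is issued.
    """
    if amount <= 0:
        raise ValueError("borrow amount must be positive")
    new_debt = vault.debt + amount
    if vault.collateral * price / new_debt < MIN_COLLATERAL_RATIO:
        raise ValueError("insufficient collateral for requested borrow")
    vault.debt = new_debt
    return vault


def liquidate(vault: Vault, price: float) -> Optional[dict]:
    """Deterministic remedy: no margin call, negotiation or court involved.

    If the ratio has fallen below LIQUIDATION_RATIO, enough collateral is
    seized to repay the debt plus the liquidator's penalty. If the collateral
    cannot cover the debt, all of it is seized and the shortfall remains as
    bad debt borne by the protocol. Returns None when the position is healthy.
    """
    if collateral_ratio(vault, price) >= LIQUIDATION_RATIO:
        return None
    needed = vault.debt / price * (1 + LIQUIDATION_PENALTY)
    if needed <= vault.collateral:
        seized, repaid = needed, vault.debt                  # full repayment
    else:
        seized = vault.collateral                            # under water
        repaid = seized * price / (1 + LIQUIDATION_PENALTY)
    vault.collateral -= seized
    vault.debt -= repaid
    return {"seized": seized, "repaid": repaid, "bad_debt": vault.debt}


def run_scenario() -> List[str]:
    """Walk a constructed position through a price decline; return the log."""
    log = []
    v = Vault(collateral=10.0, debt=0.0)        # constructed: 10 ETH pledged
    borrow(v, 12_000.0, price=2_000.0)          # $20k collateral, $12k debt
    log.append(f"borrowed 12000 at $2000, ratio {collateral_ratio(v, 2_000.0):.2f}")
    try:
        borrow(v, 2_000.0, price=2_000.0)       # would drop ratio to 1.43: refused
    except ValueError as e:
        log.append(f"second borrow refused: {e}")
    if liquidate(v, 1_600.0) is None:           # ratio 1.33: above the trigger
        log.append("at $1600 nothing happens (ratio 1.33)")
    result = liquidate(v, 1_400.0)              # ratio 1.17: liquidation fires
    log.append(f"at $1400 liquidated: {result}")
    return log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The point to notice is that every decision is a pure function of on-chain state and the price input: the contract neither knows nor cares who the borrower is, which is exactly why there is no natural place in this flow to hang an identity check.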

Most importantly, these platforms seek to distinguish between the smart contract code that is readily available to anyone interested to copy and, perhaps, improve upon and the individuals and legal entities they have formed to exploit and benefit from these various codebases. The former, it is argued, are the equivalent of public utilities while the latter are legitimate businesses that seek to benefit from these utilities in the same way that any other business may choose to do. Complicating matters, many DeFi platforms have issued digital assets (known as governance tokens) that allow the owner of the token to vote on certain governance matters and, potentially, receive a portion of the fees paid by users of the platform (generally, in the form of an in-kind distribution of portions of the digital assets borrowed or traded on the platform).

FATF’s response

Things move very quickly in the world of blockchain. When the 2019 guidance was put in place, DeFi was barely a blip on the radar. Most VAs were transferred between centralised digital asset exchanges or in privately negotiated transactions from one wallet to another (known as the OTC market). At that time, financial regulators around the world seemed content to focus on ensuring that these centralised entities implemented rigorous KYC/AML compliance programmes and left it there.

However, things changed dramatically in the summer of 2020 (which came to be known as DeFi Summer). A confluence of factors led to an explosion in the use of these protocols and a virtuous cycle (which some might call a bubble) of demand for, and interest in, DeFi protocols. These factors included the successful deployment and maturing of a number of DeFi protocols, including Compound (which recently became the first DeFi protocol to exceed US$10 billion in TVL), Uniswap, and Aave; the introduction of rewards in the form of governance tokens and other new VAs distributed to those who made their existing VAs available as liquidity for trading by others (known as liquidity mining or yield farming); increasing prices of “base assets” (bitcoin and ether), allowing more investors to feel bullish about experimenting with DeFi; and the Covid-19 pandemic causing more people to find themselves indoors with time on their hands. This activity fuelled across-the-board asset price increases, which in turn only created greater enthusiasm among users.

This rapid growth in VA activity through the use of DeFi protocols without a readily identifiable intermediary to be subject to AML/KYC compliance obligations may have caught FATF off guard. DeFi protocols generally operate in as frictionless a manner as possible and very few of these protocols are programmed to provide any sort of automated KYC/AML compliance checks. In fact, it is the opposite – most of these protocols allow users to interact with the protocols without any checks or identification whatsoever.

This raised a critical question for FATF: what would become of financial compliance if significant financial activity shifted to decentralised finance?

The draft guidance provides a simple answer: there is no such thing as “decentralised finance”. Introducing FATF’s revised position, the draft guidance states: “Where customers can access a financial service, it stands to reason that some party has provided that financial service, even if the act of providing it was temporary or shared among multiple parties.” The draft guidance then expounds on this idea in greater detail:

The determination of whether a service provider meets the definition of a VASP should take into account the lifecycle of products and services. Launching a service that will provide VASP services, for instance, does not relieve a provider of VASP obligations, even if those functions will proceed automatically in the future, especially but not exclusively if the provider will continue to collect fees or realize profits, regardless of whether the profits are direct gains or indirect. The use of an automated process such as a smart contract to carry out VASP functions does not relieve the controlling party of responsibility for VASP obligations. For purposes of determining VASP status, launching a self-propelling infrastructure to offer VASP services is the same as offering them, and similarly commissioning others to build the elements of an infrastructure, is the same as building them.

The FATF’s position here amounts to a very dramatic shot across the bow to the DeFi community. If you are building the codebase for a DeFi protocol you intend to exploit or if you are otherwise directly or indirectly economically benefiting from that codebase, then, if the draft guidance is finalised in largely its current form and then adopted at the national level, you likely will be considered a VASP. Once you are considered a VASP, you would then be subject to the full range of compliance obligations that a centralised entity, be it a traditional financial institution such as a bank or broker-dealer, or a centralised digital asset exchange or custodian, would have.

This would mean that not only would an identifiable person or entity be required to conduct AML/KYC checks on the person that controls each blockchain address that interacts with the DeFi protocol, but also that sanctions checks – a notoriously tricky exercise that frequently produces false positives due to subtle differences in the spelling of individuals’ names – would also need to be conducted.

A determination would need to be made for each transaction as to whether a suspicious transaction report (or the equivalent) would need to be created and submitted to the appropriate authority. A qualitative risk-based customer due diligence exercise would need to be conducted on the persons using the protocol and the protocol’s VASP would need to consider whether they are dealing with other VASPs such that they have entered into the equivalent of a correspondent banking relationship with that VASP (and then conduct a risk-based diligence exercise on that other VASP).

The VASP for the DeFi protocol would also need to figure out how to implement the travel rule (a requirement designed for wire transfers between traditional financial institutions where information about the sender and recipient is tracked by the financial institutions processing the transfer and available to law enforcement and financial intelligence units, among others). In the United States, these new VASPs would likely need to obtain money transmission licenses in a large number of states.

Although some of these requirements could in theory – at least to some extent – be provided in an automated manner consistent with the draft guidance, there are (at least) three fundamental problems. First, large stores of personal data about the actual persons or businesses conducting the transactions will have to be stored somewhere, opening up the possibility of a cure worse than the disease – a major breach of these data stores, a particular risk if compliance is being implemented through the use of rapidly assembled automation platforms that haven’t been robustly tested.  Second, many of FATF’s recommendations, being intended for centralised entities, have judgmental elements that are simply not possible to implement with automation. Hence, the apparent death knell for DeFi.

Finally, as the draft guidance is framed, there could easily be multiple non-affiliated persons or entities that would be considered a VASP with respect to any given DeFi protocol. The draft guidance gives no clue about how these multiple VASPs for the same protocol are meant to coordinate with each other.

Impact on traditional and decentralised finance

Prior to the release of the draft guidance, there was a reasonably clear correspondence between the responsibilities imposed on traditional financial institutions and those imposed on centralised businesses operating in the VA space. Although there are not insignificant costs involved in developing and maintaining a compliance programme consistent with the national implementations of FATF’s recommendations, there is no practical reason why the FATF recommendations could not be adopted by VASPs that operate on a centralised basis. Likewise, as traditional financial institutions increase their engagement with VAs, it will be relatively straightforward for these entities to complement their existing compliance programs with additional elements designed specifically for their dealing in VAs.

The same is not true for the new class of inadvertent VASPs that would be created by implementation of the draft guidelines. These are individuals or businesses that helped to create DeFi protocols, who otherwise benefit economically, or who effectively control these protocols, often through the ownership of governance tokens. Whether an individual or a business, these persons very likely do not have either the economic wherewithal or the needed technical expertise to fulfil the obligations of VASP. 

Moreover, there are many practical questions that immediately arise when attempting to apply compliance requirements on these otherwise unsuspecting persons.  For example, as noted above, there could be more than one VASP for any given DeFi protocol (for example, any holder of governance tokens could be considered a VASP under the draft guidance). How would the requirements apply to these multiple entities? Might one or more of these inadvertent VASPs cease being a VASP with respect to the protocol at some point? Would selling your governance tokens mean that you were no longer a VASP? If you bought some or all of the tokens back, would you become a VASP again? If so, what does all this mean for recordkeeping and reporting by these inadvertent VASPs?

In addition, FATF’s overall recommendations are clearly intended to apply to institutions that are able to employ a chief compliance officer, among many other things; how would a single individual comply?  What penalties would apply to an individual for failing to comply? Finally, what about DeFi protocols that have already been created and are operational (but not otherwise in compliance and unlikely to change that status) – would these be grandfathered in some way or would there have to be a wave of look-back enforcement actions?

One might initially expect that the net result of the above situation (which might broadly be categorised under “it’s a mess”) would be to discourage the creation and maintenance of new DeFi protocols, full stop, and ensure that most if not all activity with VAs eventually takes place using centralised services. This would of course address FATF’s concerns about how to migrate its existing compliance framework, originally designed for the fiat financial system, into the world of VAs. This outcome would likely also suit traditional financial institutions, many of which initially steered wide of permissionless blockchain networks and the digital assets they host, and instead leaned into the much safer idea that the future of blockchain technology was in permissioned networks and distributed ledger technology (DLT). These institutions are now playing catch-up as they explore how to provide services involving a wide range of digital assets.

However, the DeFi genie may not head back into the traditional finance bottle quite so easily. The availability of interoperable, composable and transparently deterministic decentralised finance protocols has struck a major chord around the world. The interest in DeFi extends well past “crypto” aficionados. Traders, bankers, and investors from the world of traditional finance are daily discovering DeFi and abandoning traditional roles to help be a part of the DeFi revolution.

Institutional funding is streaming into the space, funding all manner of experimentation and research. Teams of only two or three skilled developers can create innovative and popular new protocols in a mere matter of months. Word of new protocols spreads virally among a devoted and well-informed community without the need for traditional marketing budgets and external advertising agencies.

Recognising that DeFi is still in its infancy, participants readily acknowledge the risks involved but maintain that more centralised regulation is not the answer. Instead, proponents point to the remarkable level of transparency inherent in DeFi protocols as a major advantage over traditional financial services. Whereas regulators can watch the transactions occurring on DeFi protocols in real time as they occur, supervision of traditional finance is frequently a matter of “closing barn doors”: regulators generally only get data after the underlying transactions have occurred.

Moreover, one of the most significant apparent drawbacks of DeFi, the fact that activity is extremely capital intensive due to the required overcollateralisation of most activity (especially when compared with the equivalent activity in traditional finance), has been addressed in a very DeFi way. Demand for credit in DeFi has led to the development of a vibrant on-chain lending market in which participants in DeFi transactions can borrow through other DeFi protocols. Hedging platforms and even protocols that resemble insurance are rapidly coming online.

The NFT wildcard

One almost completely unforeseen development over the last several months has been the exponential increase in the awareness of, and interest in, non-fungible tokens (NFTs). Popularity has grown significantly among the general public – so much so that the widely distributed US television programme, Saturday Night Live, recently featured a skit on NFTs.

NFTs are unique blockchain-based digital assets that can reference artworks, video content (such as sports highlights), music files, magazine covers or virtually anything else. NFTs allow the owner to assert a special relationship with the underlying asset, much like having an autographed sports card. However, because NFTs are built using composable smart contract code, there is much more they can do, including changing the underlying asset referenced upon transfer or reacting to the geolocation associated with the wallet address in which the NFT is held. Although NFTs are not inherently part of the DeFi landscape, their compatibility with the many DeFi protocols already deployed and coming online means that they can be put to many uses. Recently, the latest version of the Uniswap digital asset exchange protocol (known as v3) began representing each liquidity provider’s position as an NFT. Many other uses are anticipated over the coming months.

FATF nodded toward NFTs in the draft guidance, stating that:

Flexibility is particularly relevant in the context of VAs and VA activities, which involve a range of products and services in a rapidly-evolving space. Some items—or tokens—that on their face do not appear to constitute VAs may in fact be VAs that enable the transfer or exchange of value or facilitate [money laundering or terrorism finance]. Secondary markets also exist in both the securities and commodities sectors for “goods and services” that are fungible and transferable. For example, users can develop and purchase certain virtual items that act as a store of value and in fact accrue value or worth and that can be sold for value in the VA space.

This observation is not surprising: traditional artworks have acted as a readily transferable store of value for many years and have likewise been used as part of the financing of illicit activities for equally long. However, physical artworks must be handled by identifiable entities that may be subject to the FATF recommendations. NFTs are another matter altogether. They are highly liquid and can be easily transferred without intermediaries, demonstrating the challenges of attempting to import the traditional anti-money laundering framework into the realm of digital assets.

NFTs move fluidly among owners (or decentralised protocols), transferring value at one moment; looking like a simple collectible at another. Because of their programmability, NFTs can even shapeshift depending on the type of wallet in which they are stored. Imposing VASP status on anyone operating an NFT platform simply because virtually all NFTs have an inherent possibility of being used as a store of value may simply be a bridge too far for financial regulators in terms of achieving acceptance from the general public, yet failing to do so exposes an obvious exploitable loophole to consistent financial regulatory policy.

A way forward?

Many FATF observers believe that, regardless of the input received during the consultation period, the final version of the VA Recommendations will likely closely resemble the draft guidance. That will leave it to national financial sector regulators to determine how best to implement FATF’s recommendations in the context of their local regulatory frameworks. In the United States, that brings attention to the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). The robust dialogue between the major participants in the centralised digital asset space in the US (particularly digital asset exchanges) and FinCEN will be joined by all those interested in maintaining a viable DeFi ecosystem. It is harder to predict how these implementation discussions will play out.

That said, there is hope that many in the public sector will recognise the importance of allowing DeFi to grow and develop. Along with a potential for being used for illicit activities, it also has advantages from a regulatory perspective over the traditional financial system (which has suffered many “black eyes” over the past several years as a result of failing to prevent numerous significant cases of misuse in support of the financing of illicit activity).

At the same time, many DeFi proponents recognise that wholly unfettered DeFi protocols are invitations to abusive use by bad actors. The fact that little problematic activity in DeFi is known to have occurred at any significant scale so far may be attributed to the relative novelty of these protocols and the many practical risks still involved in using them (criminals probably don’t like losing money through poorly audited smart contract code, either). Now is the time to find appropriate compromises, before a major AML/CFT incident on a DeFi platform occurs.

One possibility is for FATF (or national regulators) to accept a more bifurcated approach to regulating the use of DeFi protocols. This could mean recognition that companies that develop, manage and benefit from centralised on-ramps (websites providing user-friendly interfaces for DeFi protocol software) will be treated as VASPs (or perhaps a slimmed-down version of VASP) in order to facilitate the wider use of DeFi protocols, while still allowing crypto-native sophisticates who do not need a slick user interface to continue to interact with the DeFi protocols’ smart contracts directly (for example, from a command line) without engaging with intermediaries or otherwise being considered a VASP.

Critically, in this approach FATF would also recognise that simply owning governance tokens for a DeFi platform would not cause each holder to potentially be considered a VASP with respect to the platform, even if the governance token entitled the holder to a portion of the trading or other revenue or fees generated by the protocol.  At the same time, DeFi protocol developers would be expected to implement the best available automated KYC software to limit the potential for misuse.

In addition, in this model, individuals and businesses acting on their own behalf on a proprietary basis (as opposed to investing third-party funds) would not be subject to a penalty if they interacted with the DeFi protocols’ smart contracts directly, but anyone managing money or other value for others would be required to go through a VASP-operated on-ramp.

Like most compromises, such an outcome might not completely satisfy either financial regulators or die-hard DeFi enthusiasts, but it might just provide a possible alternative to the apparently untenable position currently found in the draft guidance.

